Marry IGA with ITSM to avoid the pitfalls of Identity 2.0
Identity 2.0 vendors are about to face a reckoning. For too long, they’ve focused solely on compliance and missed the mark on the adaptability, automation and integration that modern enterprises require. They’ve also emphasized provisioning at a time when business applications are moving to the cloud, where it’s less costly and complex to deploy, manage and scale systems.
These efforts have led many enterprises to overspend on back-office infrastructure, all while leaving gaping holes in their governance strategies. These investments will likely be written off soon as organizations start to grapple with the challenges of identity governance and administration (IGA) in earnest.
Where did the big vendors and Identity 2.0 players go wrong? It seems they were mostly retrofitting identity and access management (IAM) tools into IGA workflows.
Having worked in the identity field for more than 20 years, I can tell you from personal experience that this is not an optimal approach. When I hear Gartner analysts estimate that more than 50 percent of IGA programs are at risk, I am not surprised.
The deficiency of manual approaches to IGA workflows
Take the example of the employee lifecycle. A person can start out as a contractor, but then become an employee, and then subsequently change roles after several months with the company. Each stage of “employee life” has its own unique identity governance parameters. Changing roles also means changing entitlements, with some permissions added and others taken away.
IAM solutions are too coarse-grained to handle such moves, in my experience. That forces admins to do IGA the hard way – taking care of onboarding, job changes, terminations, and so forth by hand. In addition to being a time- and labor-intensive hassle, manual IGA leads to numerous identity management errors.
All too often, manual IGA grants access to new applications or information sources but doesn’t take away old ones, which exposes companies to security and compliance risks. Manual processes for managing patches, password resets, software updates, and more also increase risks. You don’t want an executive accessing highly confidential information from an app that doesn’t require two-factor authentication on a laptop that hasn’t been updated. But if IGA is managed from a spreadsheet, that’s exactly what happens.
The employee lifecycle is only one of the IGA challenges that Identity 2.0 systems are not well-positioned to address. Take for example the expense and integration hassle of onboarding traditional IAM into manual IGA systems. The typical IGA system, like most enterprise systems, exists in a silo. Implementing manual IGA on systems such as HR, CRM, finance, and operations means writing numerous custom integrations. That takes time, and it requires technical expertise that few enterprises have.
Silos present another obstacle. Without access to identity and access data across the organization as a whole, IGA teams do not get the level of real-time insight needed to effectively manage identity, certification and privilege. This impacts the day-to-day operations of the help desk while also making it difficult to determine strategic imperatives for improving governance.
A lack of integration also makes it difficult to retrieve valuable data from enterprise systems and use it effectively, whether for decision-making or compliance reporting. Data pulls need to be done manually and on an ad hoc basic, which leads to a decentralized process that is time-consuming, duplicative, and prone to human error. Auditing becomes difficult, accountability suffers, and leadership has little insight into who’s managing the governance process.
An alternative, IT modernization-centric approach
There are alternatives to adapting large IAM systems to IGA. One promising approach involves putting the IGA workload on an existing IT Service Management (ITSM) platform that most companies run, such as ServiceNow.
Integrating the IGA toolset and workflows with the incumbent ITSM platform offers several distinct operational advantages:
- For one thing, ITSM is already in use for handling a wide variety of IT tasks – including IAM, which is leveraged for managing roles and privileges in the context of IT service delivery. IGA becomes a natural extension of an existing solution, rather than a new system to onboard, manage, learn and administer.
- An existing ITSM platform enables the identity team to automate IGA workflows such as access provisioning, role-based authentication, and password management. Leading ITSM platforms can facilitate, for example, role- and attribute-based policies to grant the right access at different stages of the employee’s lifecycle. In this case, the IGA toolset can provide seamless access to hardware and training in tandem with workflows set up by the IT and HR departments.
- At the same time, the IGA tool can have direct access to other functions on the platform, e.g., security operations and governance, risk management and compliance (GRC). This allows for better informed provisioning decisions, which closes the security and privilege gaps that often grow over time.
- Reporting can be similarly automated using the built-in data visualization features of the ITSM platform. This makes the overall IGA process move more quickly while reducing the errors and delays inherent in manual processes. Automated reporting also streamlines change management and business process management, as it provides an at-a-glance view for decision-makers of the work that needs to be done.
- There are fewer training issues or user experience problems when IGA runs atop a familiar platform. Workers understand the interfaces and workflows. It becomes relatively easy for them to request and approve identity governance services. They won’t have to bookmark a new URL or learn a new way of doing things – a process that’s often forgotten or neglected.
Running an IGA solution built natively for an ITSM platform contributes to maximizing the investment in that platform. It certainly costs less than creating an IGA solution as its own stack. No new skillsets are required, either. Companies thus avoid costly recruit/train/retain struggles that can arise with the big vendor solutions.
Changes to the IGA system are more economical as well; since the IGA sits on top of the ITSM platform, any changes can be coded just once, as opposed to once for every custom integration with a siloed enterprise system.
Ultimately, the integration of IGA with ITSM is extremely favorable because it places IGA functions where those responsible for the work actually “live.” It’s not a big Identity 2.0 solution being dropped on an IT team. Instead, the approach addresses the challenges of IGA at the ground level, with tools that people already know.